Archive for March, 2009

From Lori MacVittie’s Blog…
Can the Cloud survive regulation?
Lori MacVittie asks whether the cloud could survive new laws and regulations. Multiple industries have raised concerns about the reliability and security of the cloud in general. Until the conflicts between security, regulation, reliability, and privacy are addressed, the cloud may be unsuitable for organizational use.

From around the Blogosphere…
Since the CanSecWest conference there has been much buzz surrounding vulnerabilities and their price tag. Here are three different perspectives on the issue.

ZDNet | Zero Day
“No more free bugs”? There never were any free bugs
Adam O’Donnell argues that vulnerabilities were never free, and that vulnerability researchers have always been compensated in some way. Adam supports his argument with a brief history of vulnerability research and how little the economics behind it have actually changed.

Matasano Chargen
Vulnerability Research: Times They Are A-Changin’
Dave Goldsmith believes the market for buying and selling vulnerabilities has changed. Dave outlines the different components that go into vulnerability research and describes how each has changed over time.

The Mac Security Blog
Interview with Mac Hacker Charlie Miller
Peter interviews Charlie Miller, the security researcher who hacked a Mac in ten seconds at the conference. In the interview, Charlie vows he will never give away a bug for free.

Today, NCP Engineering announced the launch of an end-to-end Secure Enterprise Solution. The idea is to combine IPsec and SSL VPN management with strong policy enforcement in an integrated collection of VPN components. The solution consists of the following:

A centrally controlled management system that gives network administrators a single point of administration for a company’s entire IPsec and SSL VPN network, as well as full NAC management. All status information is displayed graphically on the system monitor in real time, and plug-in updates and configuration settings can be controlled and distributed from one place. User data can be imported via standardized interfaces from existing directory services and identity and access management (IAM) systems. Built-in failover software keeps redundant management systems available, avoiding costly downtime and loss of policy settings.

A hybrid IPsec and SSL gateway that controls and monitors all VPN connections to and from the central data network. It offers high-availability clustering to maintain network performance and allows administrators to run up to 10,000 concurrent SSL sessions. Unique to NCP, the gateway provides a single plug-in for full network access. The NCP Secure Enterprise Server supports the industry’s widest variety of endpoint platforms and any IPsec-based device, including the iPhone.

A bundled client, personal firewall and dialer that provide a secure endpoint connection for the industry’s widest array of platforms, including Windows-based (Mobile 5/6.x, CE, XP/Vista 32/64-bit, 7 beta), Symbian (S60 3rd Edition) and Linux-based operating systems. The universally adaptable IPsec client is compatible with any gateway on the market. The user-friendly GUI and intelligent policy enforcement give even non-technical users a one-click VPN. The client’s latest features include Wireless Internet Service Provider roaming (WISPr), streamlined Universal Mobile Telecommunications System (UMTS) card support, and a budget manager for wireless minutes.

You can catch a demo of the Secure Enterprise Solution by visiting NCP at RSA (April 20-24), booth #1356-1, or Infosecurity Europe (April 28-30), booth #M90.

From Tech Sanity Check…
Smartphone shakeout: Android and Windows Mobile could get squeezed
Jason Hiner outlines the smartphone market and analyzes the current market leaders. Jason also points out that purchasing intent differs between businesses and consumers, and that there are more mobile operating systems to choose from than desktop operating systems. Jason highlights the key aspects of business smartphone purchases, and security is definitely on the list.

From Lori MacVittie’s Blog…
Please fasten your seatbelts, there’s turbulence in that there cloud
Lori MacVittie argues that the cloud is not ready to replace your entire data center. There is a lack of policy enforcement, of control over application and data access, and of rule enforcement on end users. In addition, enforcing SSL in a ‘small footprint’ way on end devices is still too difficult.

From ZDNet | Zero Day…
BBC botnet buy: What were they thinking?
Roel Schouwenberg, senior anti-virus researcher at Kaspersky Lab, wrote a guest blog post this week. Roel reports that a team within the BBC’s technology department bought a botnet as an experiment, used it to send spam to their own accounts, and then launched a DDoS attack with it. Roel not only shares his thoughts on the situation but also his frustration with it.

CNET recently covered the broad sweep of the Internet Safety Act – exactly how open are these guidelines to interpretation?

We’ve heard questions about whether the record-keeping requirements will apply to every Wi-Fi network (think: coffee shops, office buildings, public places, even home networks). Some interpretations suggest that the Internet Safety Act would require keeping two years of records on anyone who accesses a given network, because the bill covers anyone providing “an electronic communication service or remote computing service.” That might include not just public hotspots but password-protected ones as well: individuals, small businesses, large corporations, libraries, schools, universities, government agencies …

This seems to pose some major privacy and technical challenges. We’d be interested to know if anyone has any insight on this: how will lawmakers address these challenges, and is this bill realistic to begin with?

Raffy’s Computer Blog…
The Bad, The Ugly, and the Good
Given the current economy, Peter Kauper points out that companies must make the most of their IT spending and plan accordingly. Trends show that hardware spending is down while software spending is on the rise. What does this mean for the future of IT and security spending?

Lori MacVittie’s Blog…
4 Reasons We Must Redefine Web Application Security
Lori argues that we have to stop debating where web application security belongs, go back to the beginning, and redefine what it means in a web-driven, distributed world.

Around the Blogosphere…
Next Monday, March 16th, Cisco will launch its ‘Unified Computing’ data center strategy. There is much speculation that Cisco will use the event to unveil its data center blade servers, which sources say combine server, switching and virtualization in one integrated system.

Network World
Microsoft, Intel to back Cisco’s “Unified Computing” launch
Although Cisco will not disclose any details yet, it is expected that Cisco will “show how its unified communications approach for the data center will run as one unified platform bringing together these different silos, allowing for lower cost of ownership, power utilization and improved performance”.

Rational Survivability
Sun vs. Cisco? I’m Getting My Popcorn…
Chris Hoff argues against Scott Lowe’s blog post, Is Sun Preparing to take on Cisco?. Chris does not believe Cisco is getting into the server business, while Scott believes it is, and is ‘distracted’ by it. We shall see on Monday…

Cisco Data Center Networks Blog
Building a Better Blade Server – Network Style…..
Responding to the buzz, Cisco posted that it is not simply building a blade server: “What we are doing with Unified Computing is so much more than just a blade server that even using terms like blade server in the same sentence with Unified Computing doesn’t do the architecture justice.” We’ll just have to wait and see on Monday.